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(54) Abstract Title 

Accessing a network host computer from outside the network with improved security 

(57) An authorised user of a host network 1 1 such as an office network has a pager in the form of a PC card 
slotted into a user terminal T v To access office network 1 1 from outside, for example through a public 
switched network 12, the authorised user is given a one-time password by host computer 13 which is stored in 
the PC card pager. The PC card pager is then removed from the user terminal T t and inserted into a mobile 
terminal MT^for example a notebook computer). Using the mobile terminal the user requests access to the 
network 11 from outside by sending a username and encrypted authentication information comprising pager 
ID and one-time password to the host. The user is authenticated and allowed to log in to the network if this 
information corresponds to information registered in the host computer Encryption is performed by the PC 
card pager using a hash function, the authentication information and a random number generator. The mobile 
terminal may have a wireless or wired connection to the network. A desktop computer may also be used. The 
one-time password may be transferred to the PC card pager through the paging system. 
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1. Field of the invention 

The present invention generally relates to a 
communications system permitting authorized users to log in 
to a host computer or server and, in particular, to a login 
permission method and system from outside to the host computer 
with Improved security. 

In a premises network system to which a user can access 
from outside through a communications line, network security 
is one of the most important issues. A major focus of network 
security on computer systems like this is the prevention of 
system use by unauthorized persons. To protect the system from 
unauthorized use, the system requires a user to enter a password 
to verify that the user is authorized to access the network. 

According to a conventional security method, a user name 
and a user's authentication information are registered on the 
host computer in advance. When a user's mobile terminal has 
accessed to the host computer through a communications line, 
the user name is sent to the host computer and, if it matches 



the registered user name, then the user's authentication 
information is also sent to the host computer. In this way, 
only when both the user name and the user's authentication 
information match the registered ones, a one-time password is 
5 sent from the host computer to the mobile terminal. The mobile 
terminal is allowed to log in to the host computer using the 
one* time password. 

When an unauthorized person has known the user name and 
the authentication Information of the authorized user, however, 
10 the unauthorized person can get the one-time password easily, 
resulting in compromised security of the network. Further, the 
conventional technique fails to provide sufficiently rapid 
connection establishment because the one-time password 
transmission is performed between the host computer and the 
15 mobile terminal during the login process. 

An authentication method using secret -key encryption has 
been proposed in Japanese Patent Unexamined Publication No. 
5-327693. A base station transmits random data to a mobile 
terminal. At the mobile terminal, first and second encrypted 
20 authentication signals are produced based on the received 
random data, a first secret key of the mobile terminal, and 
a second secret key input by the subscriber, respectively. The 
encrypted authentication response data is transmitted to the 
base station. 

25 At the base station, the same encryption process is 
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performed to produce encrypted check data and matches it with 
the encrypted authentication response data received from the 
mobile terminal, if the produced encrypted data matches the 
received one, the authentication check is affirmative, 
5 In a combination of the conventional one-time password 

security method and the conventional authentication method 
using secret -key encryption, pluralities of data exchanges are 
needed for login between a mobile terminal and a host computer. 
Therefore, it Is very difficult to shorten the time required 
10 for login completion. 



An object of the present invention Is to provide a login 
permission method and system which can improve network security 
and efficiently perform a login process at a short time. 
15 According to the present invention, in a host -based 

network. Information required for outside login is previously 
registered with the host-based network. When an outside login 
request is received from a terminal through the communications 
line, it is determined whether user's login Information 
20 received is validated based on the registered information 
required for outside login. Only when the user's login 
information is validated, the terminal is permitted to log in 
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to the host-based network from outside. 

The user's login information is preferably a user name 
and a user's authentication information, wherein the user's 
authentication information is encrypted at the terminal and 
5 is decrypted at the host -based network according to a 
predetermined encryption scheme based on the registered 
information required for outside login- Further preferably, 
the registered information required for outside login include 
a unique information uniquely assigned to the terminal, such 
10 as an identification number assigned to a selective call 

receiver or a pager which can be detachably connected to the 
terminal. 

Preferably, the registered information required for 
outside login further include a one-time password that is 
15 temporarily assigned to the terminal by the host -based network 
when the information required for outside login is registered 
with the host -based network. 

Preferred features of the present invention will now be 
described, by way of example only, with reference to the accompanying 
drawings, In which:- 

Fig- 1 is a schematic block diagram showing the 

20 configuration of a network system including a login system 
according to the present invention; 
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Fig . 2 is a block diagram showing the detailed internal 
circuits of a host computer and a PC-card pager in an embodiment 
of a login system according to the present invention; 

Fig. 3 is a diagram showing a sequence of a successful 
5 login process in an embodiment of a login method according to 
the present invention; 

Fig. 4 is a diagram showing an operation of encryption 
process in the embodiment of the login method; 

Fig. 5 is a schematic diagram showing an operation of 
10 the embodiment of the login method when a mobile terminal fails 
to log in to the host computer; 

Fig. 6 is a schematic diagram showing another operation 
of the embodiment of the login method when a mobile terminal 
fails to log in to the host computer; and 

.5 Fig. 7 is a schematic diagram showing an operation of 

the embodiment of the login method when a mobile terminal 
successfully logs in to the host computer.' 
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As shown in Pig- 1, assuming that a network is provided 
in an office building 10 to provide services to authorized users . 
The network is composed of a premises switched network 11 which 
can be connected to a public switched network 12 outside the 
5 office, such as the public switched telephone network. 

Hereinafter, a combination of the premises switched network 
11 and the public switched network 12 is called a stationary 
switched network. The premises switched network 11 is 
connected to a host computer 13 which can provide services to 
10 a plurality of user terminals T X -T M installed within the office 
building 10. For example, an authorized user can log in to the 
host computer 13 through any user terminal by entering the 
correct password assigned to the user. 

Further, the respective authorized users have PC-card 
15 pager PG^PGn and mobile or portable terminals MTj-MT,, such as 
notebook computers. A PC-card pager is a PC card having a 
selective call receiver, or a pager, therein. As described in 
detail later, a user's PC- card pager stores necessary 
information including the pager identification number and the 
20 encryption table. The PC-card pager is inserted into the PC 
card slot (PCMCIA slot) of a mobile terminal and thereby the 
authorized user can log in to the host computer 13 from outside 
through the public switched network 12, In other words, by 
connecting the PC-card pager of the authorized user to the 
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mobile terminal, the user can also log in to the host computer 
13 outside the office building 10. 

A desktop computer with the communication function and 
the PC card slot can be also used Instead of a mobile terminal 
5 MT. That is, the user inserts his/her PC-card pager into the 
PC card slot of the desktop computer located outside the office 
and starts the outside login operation as will be described 
later. Hereinafter, the descriptions will be made in the case 
of a mobile terminal as an example. 
10 HOST AND PC -CARD PAGER 

Referring to Fig. 2, the host computer 13 is connected 
to the stationary switched network (11, 12) through an 
interface 101 which may be a modem or a set of digital service 
unit (DSU) and a terminal adapter (TA) . The host computer 13 
15 performs necessary controls including the login control 

according to the present invention by running control programs 
on a processor 102. 

The host computer 13 further includes a memory 103 for 
storing authorized user name information , an encryption table 
20 104, and a random number generator (RNG) 105. The authorized 
user name information includes the user name, the one-time 
password temporarily assigned to the user, -And the pager ID 
assigned to the PC-card pager PGj to be used by the authorized 
user. The authorized user name information is registered onto 
25 the memory 103 when receiving an outside login permission 
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request from a user terminal T a (J = l,2,~,N) in the office 
10. The memory 103, the encryption table 104, and the random 
number generator 105 are used to decrypt the encrypted 
authentication information received from the mobile terminal 
through the stationary switched network. As described later, 
only users who has been registered in the memory 103 and has 
sent the correct authentication information encrypted in a 
predetermined encryption scheme are permitted to log in to the 
host computer 13, 

A PC-card pager PG, is a PCMCIA card having encryption 
function and pager function. The PC-card pager PG, has an 
interface 201 which is designed to be connected to the PC card 
slot of a mobile terminal MT, (here, notebook computer) ♦ The 
PC-card pager PG a performs the encryption function and the pager 
function, which may be implemented by programs running on a 
processor 202. 

The PC -card pager PGj further includes a password memory 
203 for storing one-time password, a random number generator 
(RNG) 204, an encryption table 205, and a pager ID memory 206 
storing the pager ID assigned to the PC-card pager PGj. 

The one-time password, as will be described later, is 
transferred from the host computer 13 to the PC-card pager PG^ 
and then stored onto the password memory 203 when the PC-card 
pager PG 0 is connected to the user terminal Tj in the office 
10 and the user makes the outside login permission request. 



The encryption table 205, the random number generator 
204. and the pager ID memory 206 are used to encrypt the 
authentication information of the user. To successfully 
perform encryption at the PC-card pager PG, and decryption at 
5 the host computer 13, the encryption table 205 and the random 
number generator 204 of the PC-card pager PG, are the same as 
the encryption table 104 and the random number generator 105 
of the host computer 13, respectively. 

The PC -card pager PG, further includes a radio receiver 
10 207 which is used to receive a paging or selective calling signal 
from a radio base station (not shown). As will be described 
later, the pager function may be used to receive the one-time 
password from the host computer 13 through a paging system. 
The user terminals T^T* each have a PCMCIA slot into which 
15 the PC-card pager PG, is inserted for data communication. More 
specifically, the pager ID is sent from the PC-card pager PG, 
to the host computer 13 and the one-time password is sent from 
the host computer 13 to the PC-oard pager PGj. 

The mobile terminals MT^MT, each have the PCMCIA slot 
20 for the PC -card pager and a data communication means for 
communicating with the host computer 13 through the stationary 
switched network (11, 12). The data communication means may 
be a modem or a set of digital service unit (DSU) and a terminal 
adapter (TA) . Alternatively, the data communication means may 
25 be a wireless communication means. Further, the mobile 



terminals MTj-MT,, each have a central processing unit (CPU) on 
which a control program for a PC-card pager may run. 

As described before, the present invention is not limited 
to mobile terminals MT 1 -MT K . A desktop computer with the 
5 communication function and the PC card slot can be also used 
Instead of a mobile terminal MT, 

LOGIN SEQUENCE 
Next, the login procedure will be described in the case 
where a user having a mobile terminal MT^ and a PC- card pager 
10 PGj therewith logs in to the host computer 13 through the 
stationary switched network. 

When the user intends to log in to the host computer 13 
outside the office 10, the user Inserts the PC-card pager PGj 
of the user's own into the PC card slot of the in-use terminal 
15 Tj and then makes the outside login permission request to the 
host computer 13 through the ln-use terminal T,. When receiving 
the outside login permission request from the terminal T Jf the 
host computer 13 reads the pager ID from the PC-card pager PG 0 
and stores the pager ID and the user name as authorized user 
20 name information onto the memory 103 . Alternatively , the pager 
ID may be entered by the user through the keyboard of the 
terminal T,- 

Next, the host computer 13 informs the user of the 
one-time password which should be used in the case of outside 
25 login through the mobile terminal MT,. The one-time password 
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may be displayed on screen of the terminal Tj. Here, assuming 
that the one-time password Is transferred from the host 
computer 13 to the password memory 203 of the PC-card pager 

5 Thereafter, the user logs out and goes out with the mobile 

terminal MT, and the PC-card pager PG,. 

Referring to Fig. 3, in the case where the user needs 
services provided by the host computer 13 from outside, the 
user inserts the PC -card pager PG, into the PC card slot of the 
0 mobile terminal MT, and then the mobile terminal MT, is started 
making a connection setup request to the stationary switched 
network (step S301). 

If it is possible to establish the requested connection, 
the stationary switched network sends an acknowledgement (ACK) 
back to the mobile terminal MT, and thereby the connection from 
the mobile terminal MT, to the stationary switched network is 
established (step S302). Subsequently, the stationary 
switched network sends a connection setup request to the host 
computer 13 (step S303) and, when receiving the connection 
setup acknowledgement from the host computer 13 (step S304), 
the connection between the stationary switched network and the 
host computer 13 . Thereafter, the stationary, switched network 
sends a connection setup acknowledgement back to the mobile 
terminal MT, and thereby the connection between the mobile 
terminal MT, and the host computer 13 is established (step 



S305). 

When the connection has been established, the host 
computer 13 sends a user name request for the user name 
information of the user to the stationary switched network 
5 (step S306). When receiving the user name request,. the 

stationary switched network sends the user name request to the 
mobile terminal MT, (step S307). 

When receiving the user name request from the host 
computer 13 through the stationary switched network, the user 
10 is prompted to enter a user name through the keypad of the mobile 
terminal MTj. The user name may be stored in a memory and be 
read out from the memory in response to the user name request. 
The user name is sent to the stationary switched network (step 
S308) and further to the host computer 13 (step S309). 
15 When receiving the user name, the processor 102 of the 

host computer 13 searches the memory 103 for the received user 
name. If found, the processor 102 determines that the user name 
has been registered as an outside login user name and then sends 
an authentication request to the stationary switched network 
20 (step S310) and further to the mobile terminal MT, (step S311). 
If. not found, the processor 102 determines that the user name 
has never been registered as an outside login user name and 
stops the login process to reject the login request. 

When receiving the authentication request from the host 
25 computer 13, the user is prompted to enter the authentication 
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information through the keypad of the mobile terminal MT,. The 
authentication information may be stored in a memory and be 
read out from the memory in response to the received 
authentication request- When the authentication information 
5 has been entered, it is transferred to the PC-card pager PGj. 
The processor 202 of the PC-card pager PG 3 encrypts the 
authentication information using the pager ID, the one-time 
password, the encryption table 205, and the random number 
generator 204 . The details of the encryption will be described 
10 later - 

The encrypted authentication information is sent back 
to the mobile terminal MTj and is then transmitted to the 
stationary switched network (step S312) and further to the host 
computer 13 (step S313). 
15 At the host computer 13, the encrypted authentication 

information received from the mobile terminal MT 3 is decrypted 
using the encryption table 104, the random number generator 
105 and the authorized user name information in the way similar 
to the encryption steps performed in the PC-card pager PG,. 
20 Then, the processor 102 compares the decrypted 

authentication information with the registered authentication 
information stored in the memory 103, If the decrypted 
authentication information matches the registered one, the 
host computer 13 sends a login permission message to the 
25 stationary switched network (step S314) and further to the 



mobile terminal MT, (step S315). In this manner, the user can 
obtain desired services from the host computer 13 (step S316) - 
Contrarily, If the decrypted authentication information does 
not match the registered one, the login is rejected. 
5 ENCRYPTION 

Referring to Fig. 4, the encryption of the authentication 
information is performed at the PC-card pager. When the user 
enters the authentication information, the processor 202 of 
the PC -card pager PGj reads the pager ID from the pager ID memory 
10 206 (step S401) and the one-time password from the password 
memory 203 (step S402). Then, the processor 202 calculates a 
Hash value H from the one-time password using the Hash function 
(step S403) . 

The processor 202 initializes the random number 
15 generator 204 according to the Hash value H and then obtains 
a random number RN T from the random number generator 104 
according to the pager ID (step S404) . Further, the processor 
202 converts the random number RN T to a number ft? ranging from 
0 to 255 by dividing the random number RN,. by 256 to obtain the 
20 reminder thereof (step S405). 

Subsequently, the processor 202 reads encryption value 
from the location of the encryption table 205 which is addressed 
with the reminder (step S406). Finally, the processor 202 
excluslve-ORs the encryption value read from the encryption 
25 table 205 and the authentication information entered by the 



user to produce encrypted authentication information (step 
S407). The encrypted authentication information is 
transmitted to the host computer 13. 

When receiving the encrypted authentication information , 
5 the decryption steps are performed in the similar way. More 
specifically, the processor 102 of the host computer 13 reads 
the pager ID and the one-time password of the authorized user 
name from the memory 103. Then, the processor 102 calculates 
a Hash value H from the one-time password using the Hash function 
10 and initializes the random number generator 105 according to 
the Hash value H and then obtains a random number RN T from the 
random number generator 105 according to the pager ID . Further , 
the processor 102 converts the random number RN T to a number 
ranging from 0 to 255 by dividing the random number RN T by 
256 to obtain the reminder R, thereof. 

Subsequently, the processor 102 reads encryption value 
from the location of the encryption table 104 which is addressed 
with the reminder R T . Finally, the processor 102 exclusive-ORs 
the encryption value read from the encryption table 104 and 
the encrypted authentication information received from the 
mobile terminal to reproduce the original authentication 
information. The decrypted authentication information is 
matched with the registered one. 

LOGIN REJECTION AND PERMISSION 
Figs. 5 and 6 shows login rejection cases. In the case 
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shown in Fig- 5, the user is not authorized to log in to the 
host computer 13 from outside. That is, the user has not been 
registered onto the memory 103 for outside login permission . 
Since neither a one-time password nor a pager ID for use in 
encryption is registered, when the login request of the user 
is made from outside through the stationary switched network, 
the host computer determines that the user is an unauthorized 
person. 

In the case shown in Pig. 6, the user has been properly 
registered onto the memory 103 for outside login permission. 
Therefore , a one-time password and a pager ID for use in 
encryption are registered on the host computer 13. In the case 
where the user does not have the PC -card pager therewith , 
however, the encryption of the authentication information 
cannot be performed properly. Therefore, the host computer 
also determines that the user is an unauthorized person. 

Referring to Fig- 7, the user has been properly 
registered onto the memory 103 for outside login permission 
and the authentication information is properly encrypted using 
the pager ID and the one-time password. Therefore, the host 
computer determines that the user is an authorized person and 
permits the user to log in to the host computer 13 . 

As another embodiment of the present invention, the 
paging system may be used to transfer the one-time password 
from the host computet 13 to the PC- card pager. More 



specifically, the host computer 13 is connected to the paging 
system and calls up the PC-card pager that the user has. When 
the PC-card pager has been successfully called, the one-time 
password is transferred to the PC-card pager through the paging 
system and is stored onto the password memory 203 of the PC-card 
pager ?G 3 through the radio receiver 207. 

As described above, according to the present invention, 
only a user who has been authorized to log in to the host computer 
from outside can log in to the host computer. Especially, the 
encryption of authentication information is performed based 
on the pager ID of the PC-card pager of the user's own and the 
one-time password previously assigned to the user. Therefore, 
the conditions required for login from outside become more 
strict, resulting in improved network security. 

Since there is no need to send a one-time password from 
the host computer to the mobile terminal at a login, the login 
process can be rapidly completed. 
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Each feature disclosed in this specification (which term 
includes the claims) and/or shown in the drawings may be 
incorporated in the invention independently of other disclosed 
5 and/or illustrated features. 

Statements in this specification of the "objects of the 
invention" relate to preferred embodiments of the invention, but 
not necessarily to all embodiments of the invention falling 
within the claims. 
10 The description of the invention with reference to the 

drawings is by way of example only. 

The text of the abstract filed herewith is repeated here as 
part of the specification. 

15 a login permission method improving network security and 

efficiently performing a login process is disclosed. In a host- 
based network, information required for outside login is 
previously registered with the host -based network. When an 
outside login request is received from a terminal through the 

20 communications line, it is determined whether user's login 
information is validated based on the registered information 
required for outside login. Only when the user's login 
information is validated, the terminal is permitted to log in to 
the host -based network from outside. 

25 



r 
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Claims : 

1 . A login permission method to a host-based network 
from outside through a communications line, characterized by- 
comprising the steps of: 

registering information required for outside 
5 login with the host-based network; 

determining whether user's login information 
received from a terminal through the communications line is 
validated based on the registered information required for 
outside login; and 
10 permitting the terminal to log in to the host- 

based network from outside only when the user's login 
information is validated. 

2. The login permission method according to claim 1, 
wherein the user's login information is a user name and a user's 
authentication infonuation, wherein the user's authentication 
information is encrypted at the terminal and is decrypted at 
the host -based network according to a predetermined encryption 
scheme based on the registered Information required for outside 
login • 

3. The login permission method according to claim 2, 
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wherein the registered Information required for outside login 
include a unique information uniquely assigned to the terminal. 

4 . The login permission method according to claim 3 , 
wherein the unique information is an identification number 
assigned to an accessory device incorporated in the terminal. 

5. The login permission method according to claim 4, 
wherein the accessory device is a radio selective call receiver 
having the identification number previously assigned thereto. 

6 . The login permission method according to claim 3 , 
wherein the registered Information required for outside login 
further include a one-time password that is temporarily 
assigned to the terminal by the host -based network when the 
information required for outside login is registered with the 
host -based network. 

7. The login permission method according to claim 6, 
wherein the unique information is an Identification number 
assigned to an accessory device incorporated in the terminal. 

8. The login permission method according to claim 7. 
wherein the accessory device is a radio selective call receiver 
having the identification number previously assigned thereto. 
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9. A login permission system for permitting a 
terminal to log in to a host computer of a network from outside 
through a communications line, 

the host computer characterized by comprising: 
a registration memory for registering information 
required for outside login; and 

a host processor for determining whether user's 
login information received from the terminal through the 
communications line is validated based on the registered 
information required for outside login and, only when the 
user's login Information is validated, permitting the terminal 
to log in to the host computer from outside. 

10. The login permission system according to claim 9, 
wherein the user's login Information is a user name and a user's 
authentication information, wherein 
the terminal comprises: 

a memory storing the registered information required for 
outside login; and 

a encryption processor for encrypting the user's 
authentication Information according to a predetermined 
encryption scheme based on the registered information required 
for outside login to produce encrypted user's authentication 
information. 
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wherein the host processor decrypts the encrypted 
user's authentication information received from the terminal 
according to the predetermined encryption scheme based on the 
registered information required for outside login to reproduce 
the user's authentication information. 

11 . The login permission system according to claim 10, 
wherein the registered information required for outside login 
include a unique information uniquely assigned to the terminal. 

12. The login permission system according to claim 11. 
wherein the unique information is an identification number 
assigned to an accessory device incorporated in the terminal. 

13. The login permission system according to claim 12, 
wherein the accessory device is a radio selective call receiver 
having the identification number previously assigned thereto. 

14 . The login permission system according to claim 11, 
wherein the registered Information required for outside login 
further include a one-time password that is temporarily 
assigned to the terminal by the host computer when the 
information required for outside login is registered with the 
host computer. 
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15. The login permission system according to claim 14, 
wherein the unique information is an identification number 
assigned to an accessory device incorporated in the terminal . 

16. The login permission system according to claim 15, 
wherein the accessory device is a radio selective call receiver 
having the identification number previously assigned thereto. 

17. The login permission system according to any of claims 
10 to 16, wherein the terminal comprises: 

a computer with a communication function, having a PC card 
slot therein; and 

a PC-card pager which is detachably connected to the PC card 
slot, the PC-card pager comprising the memory and the encryption 
processor. 

18. A login permission method or login permission system 
substantially as herein described with reference to the 
accompanying drawings . 
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